[oe] checksums situation
Vitus Jensen
vjensen at gmx.de
Wed Feb 25 21:27:02 UTC 2009
Am Tue, 24 Feb 2009 19:25:07 -0700 schrieb Tom Rini:
> On Tue, Feb 24, 2009 at 11:01:05PM -0300, Otavio Salvador wrote: [snip]
>> I do belive that the best way to solve it is to have a md5 file
>> together with the .bb recipe. This solves the problems for forks,
>> derivatives and also makes harder to just use "cat tmp/checksums.ini >>
>> conf/checksums.ini".
>
> Running a script that will make the .sum file isn't any harder really.
> And it's still a "this is the checksum we downloaded" not "this is the
> checksum upstream says is correct".
...
But "this is the checksum we downloaded" says that's it's the same
version the author of the .bb receipe downloaded, reviewed and tested on
his device. What is the probability that this author downloaded a
corrupt but working archive last november and you get the same corrupt
archive now?
If you want better security you have to ask the download source for a GPG
signature of his files or the like as MD5 isn't really safe.
Bye,
Vitus
--
Vitus Jensen, Hannover, Germany, Earth, Milky Way, Universe (current)
More information about the Openembedded-devel
mailing list